I'm not able to parse the Apache error logs. I keep getting these errors:
[0] "_grokparsefailure"
which means that there's an error in parsing the logs.
Apache Error Logs
[Wed Aug 17 20:00:00.661037 2022] [proxy:error] [pid 36621:tid 139697636505344] (111)Connection refused: AH00957: HCTCP: attempt to connect to 192.1.1.1:8009 (myserver.gc.ca) failed
In the patterns.d file, I have this:
APACHE_ERROR_TIME %{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}
APACHE_ERROR_LOG \[%{APACHE_ERROR_TIME:timestamp}\] \[%{WORD:source}:%{LOGLEVEL:loglevel}\] \[pid %{NUMBER:pid}:tid %{NUMBER:tid}\] (?:\[client %{IPORHOST:clientip}:%{POSINT:port}\] ){0,1}%{GREEDYDATA:errormsg}
In my apache-error-log.conf file, I have this:
grok {
  patterns_dir => [ "/opt/logstash/patterns.d" ]
  match => { "message" => "%{APACHE_ERROR_LOG}" }
}
I have no idea why I'm getting this "_grokparsefailure" error. Would anyone know where I might have gone wrong?
Thanks
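An added example, not part of the original post: a Python regular expression that approximates the APACHE_ERROR_LOG pattern above, so sample lines can be checked field by field outside Logstash. The sub-expressions are hand-written stand-ins for the stock grok patterns and are assumptions, as are the function name `parse` and the second and third sample lines, which are constructed.

```python
import re

# Approximation of the post's APACHE_ERROR_LOG grok pattern. Each piece stands
# in for a stock grok pattern (DAY, MONTH, MONTHDAY, TIME, YEAR, WORD, LOGLEVEL,
# NUMBER, IPORHOST, POSINT); these are assumptions, not grok's own definitions.
APACHE_ERROR_LOG = re.compile(
    r"\[(?P<timestamp>[A-Z][a-z]{2} [A-Z][a-z]{2} \d{1,2} "
    r"\d{2}:\d{2}:\d{2}(?:\.\d+)? \d{4})\] "
    r"\[(?P<source>\w+):(?P<loglevel>[A-Za-z]+)\] "
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] "
    r"(?:\[client (?P<clientip>[\w.:-]+):(?P<port>[1-9]\d*)\] )?"
    r"(?P<errormsg>.*)"
)

def parse(line):
    """Return the extracted fields, or None where grok would tag _grokparsefailure."""
    # grok patterns are unanchored unless written with ^, so search() mirrors it.
    m = APACHE_ERROR_LOG.search(line)
    if m is None:
        return None
    # Drop the optional client fields when the [client ...] part is absent.
    fields = {k: v for k, v in m.groupdict().items() if v is not None}
    fields["pid"] = int(fields["pid"])
    fields["tid"] = int(fields["tid"])
    return fields

SAMPLES = [
    # Line quoted in the post.
    "[Wed Aug 17 20:00:00.661037 2022] [proxy:error] [pid 36621:tid 139697636505344] "
    "(111)Connection refused: AH00957: HCTCP: attempt to connect to "
    "192.1.1.1:8009 (myserver.gc.ca) failed",
    # Constructed: same layout with the optional [client ip:port] field present.
    "[Wed Aug 17 20:00:01.120455 2022] [authz_core:error] [pid 36621:tid 139697636505344] "
    "[client 10.0.0.5:51234] AH01630: client denied by server configuration: "
    "/var/www/html/private",
    # Constructed: a different layout (no module name, no pid/tid fields).
    "[Wed Aug 17 20:00:02 2022] [error] [client 10.0.0.5] File does not exist: "
    "/var/www/html/favicon.ico",
]

if __name__ == "__main__":
    for line in SAMPLES:
        result = parse(line)
        print("PARSE FAILURE" if result is None else result)
```

Running the file prints the extracted fields for each sample, or PARSE FAILURE for a line whose layout the expression does not cover.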